HIPAA Compliance Strategies for Employers, METs, MEWAs and Taft Hartley Union Trust Funds The HIPAA Colloquium at Harvard University Presented by: Melissa.

Presentation transcript:

HIPAA Compliance Strategies for Employers, METs, MEWAs and Taft Hartley Union Trust Funds The HIPAA Colloquium at Harvard University Presented by: Melissa Davis Hartranft, Esq. Senior Legal Counsel Fidelity Investments August 22, 2002

Agenda
• Privacy Rule
• Fidelity’s HIPAA Compliance Strategy
• Q&A

Privacy Rule
• Standards for Privacy of Individually Identifiable Health Information
• Final Privacy Rule
  – Effective: April 14, 2001
  – Compliance required: April 14, 2003
• NPRM: March 27, 2002
• Amendments to Final Privacy Rule
  – Published: August 14, 2002
  – Effective: October 15, 2002

General Rule
“Covered Entities” must not use or disclose “Protected Health Information”
• Without the express permission of the individual to whom it pertains; or
• Except as otherwise explicitly permitted or required by the Privacy Rule.

Protected Health Information (PHI)
• Individually identifiable health information
  – Created/received by a covered entity or an employer
  – Relates to the past, present, or future
    ▪ Physical or mental health consideration
    ▪ Provision of health care
    ▪ Payment for health care
  – Identifies the individual or there is a reasonable basis upon which to believe the information can be used to identify the individual
  – Transmitted or maintained in any form or medium
• Includes demographic information collected from an individual (e.g., city, county, precinct, zip code)
• Specifically excludes individually identifiable health information in
  – Education Records
  – Employment Records held by a covered entity in its role as employer

Covered Entities
• Health plan – an individual or group plan that provides, or pays for the cost of, medical care
  – Group health plans (employee welfare benefit plans under ERISA that provide medical care to employees and their dependents, directly or through insurance, reimbursement or otherwise, that has 50 or more participants or is administered by an entity other than the employer who established the plan)
  – health insurance issuer
  – HMO
  – issuer of long-term care policy
  – employee welfare benefit plan or arrangement established or maintained to offer or provide health benefits to employees of two or more employers

Covered Entities (cont.)
• Health care provider – provider of health services who transmits health information in electronic form
• Health care clearinghouse – entity that receives health information and processes it from non-standard to standard format (or vice versa)
  – billing service
  – community health management information system
• Employers/Plan Sponsors/Employee Organizations are NOT covered entities

Permitted Uses and Disclosures of Protected Health Information
Some examples of how a covered entity may use or disclose protected health information, as expressly provided under the Privacy Rule, include the use or disclosure:
  – to the individual
  – for:
    ▪ treatment (includes, but is not limited to, provision of health care, consultation between providers and referrals),
    ▪ payment (includes, but is not limited to, activities undertaken to obtain premiums, reimbursements, coordination of benefits and cost sharing amounts), or
    ▪ health care operations (includes, but is not limited to, activities involving quality assessment and improvement and M&A due diligence)

Permitted Uses and Disclosures of Protected Health Information (cont.)
  – pursuant to an authorization (use or disclosure must be consistent with authorization)
  – as required by law (includes, but is not limited to, law enforcement proceedings, domestic violence and judicial or administrative proceedings)

Minimum Necessary Requirements
• Covered entities must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose
• Exceptions to minimum necessary requirements for uses and disclosures
  – To the individual
  – Pursuant to an authorization initiated by the individual
  – To a provider for treatment purposes
  – To the Secretary of HHS for enforcement
  – Required for compliance or required by law
• A covered entity may reasonably rely upon another covered entity’s request (or the request of a business associate on behalf of a covered entity) for PHI as the minimum necessary for the intended disclosure

General Obligations
Covered Entities must:
  – Limit use and disclosure of Protected Health Information (PHI)
  – Permit individuals to access and modify their PHI, and to obtain an accounting of disclosures (accounting does not include disclosures for treatment, payment or health care operations; pursuant to an authorization; made to the individual; or pursuant to any other authorized use or disclosure)
  – Contract with Business Associates
  – Develop policies, training, sanctions, and complaint processes
  – Draft notices, consents and authorizations
  – Designate a Privacy Officer

Business Associates
• A person who performs services for or on behalf of a covered entity involving the use or disclosure of PHI (including, but not limited to, claims processing, data analysis, utilization review, quality assurance, billing)
  – Lawyers
  – Accountants
  – Auditors
  – Actuaries
  – Consultants
  – Administrators
  – Other
• Contract required to assure PHI is safeguarded and used only as permitted
• Sample contract language in NPRM and minor modifications contained in amendments to Final Privacy Rule

Employers/Employee Organizations as Plan Sponsors
• No clear compliance framework
  – Employers/Employee organizations are not covered entities
  – Group health plans/Employee welfare benefit plans maintained for two or more employers are covered entities
  – Self administered plans do not operate themselves

Group Health Plan’s Disclosure of Protected Health Information
• General rule: Group health plan cannot disclose PHI to the plan sponsor (or to provide for or permit the disclosure of PHI by a health insurance issuer or HMO with respect to the group health plan), unless the plan document restricts the uses and disclosures of such PHI by the plan sponsor
• Exceptions:
  – Group health plan may disclose summary health information to the plan sponsor if the plan sponsor requests the information to:
    ▪ obtain premium bids from health plans for providing health insurance coverage under the group health plan, or
    ▪ modify, amend or terminate the group health plan
  – Group health plan may disclose to the plan sponsor an individual’s participation or enrollment/disenrollment status
  – Group health plan may disclose PHI to a plan sponsor pursuant to an authorization

Fidelity’s HIPAA Compliance Strategy
• Fidelity, as an employer and plan sponsor, is not subject to HIPAA because it is not a covered entity. Therefore, the first step in the compliance strategy is to identify the covered entities that are subject to HIPAA:
  – Medical plans (including prescription drug)
    ▪ Fully insured HMOs
    ▪ Self-insured PPO
  – Flexible Spending Accounts
  – Employee Assistance Program
  – Dental plan
  – Long-Term Care plan
  – Retiree Medical plan
• Other practices/programs to consider

Fidelity’s HIPAA Compliance Strategy (cont.)
• After identifying the covered entities, the next step in the compliance strategy is to document the current flow of PHI:
  – how/where PHI currently is used and disclosed by each covered entity
  – how/where PHI currently is used and disclosed by Fidelity
  – how/where PHI is used and disclosed by outside vendors

Fidelity’s HIPAA Compliance Strategy (cont.)
• While documenting the current flow of PHI, the following factors also are taken into account and analyzed:
  – Evaluate security (both internal and external)
  – Assess personnel needs for PHI (department(s) within the company, employee hierarchy)
  – Determine whether certain practices currently are in place to address State law requirements

Fidelity’s HIPAA Compliance Strategy (cont.)
• The next step in the compliance strategy involves taking an inventory of existing contracts with outside vendors to determine which ones will need to be amended to include business associate language and the timing of such amendments
• In addition to existing contracts, it also is necessary to determine whether there are existing relationships that will need to be memorialized into business associate agreements in light of HIPAA

Fidelity’s HIPAA Compliance Strategy (cont.)
• Other steps that will need to be taken include:
  – Amending plan documents and drafting certifications
  – Establishing/fortifying firewalls
  – Building systems for tracking and accounting for uses and disclosures of PHI
  – Drafting authorizations (no consents)
  – Amending contracts to include business associate sample language

Fidelity’s HIPAA Compliance Strategy (cont.)
  – Drafting policies and procedures
    ▪ Use, transfer, retention of PHI
    ▪ Complaints, sanctions
    ▪ Privacy notice
  – Training associates (ongoing)
  – Sending privacy notices